From patchwork Tue Sep 7 16:00:59 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12479077
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 01/12] integrity: Introduce a Linux keyring called machine
Date: Tue, 7 Sep 2021 12:00:59 -0400
Message-Id: <20210907160110.2699645-2-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Many UEFI Linux distributions boot using shim. The UEFI shim provides what is
called Machine Owner Keys (MOK).
Shim uses both the UEFI Secure Boot DB and MOK keys to validate the next
step in the boot chain. The MOK facility can be used to import user-generated
keys. These keys can be used to sign an end-user's development kernel build.

When Linux boots, both UEFI Secure Boot DB and MOK keys get loaded in the
Linux .platform keyring.

Add a new Linux keyring called machine. This keyring shall contain just MOK
CA keys and not the remaining keys in the platform keyring. This new machine
keyring will be used in follow-on patches. Unlike keys in the platform
keyring, keys contained in the machine keyring will be trusted within the
kernel if the end-user has chosen to do so.

Signed-off-by: Eric Snowberg
Reviewed-by: Jarkko Sakkinen
---
v1: Initial version
v2: Removed destroy keyring code
v3: Unmodified from v2
v4: Add Kconfig, merged in "integrity: add add_to_mok_keyring"
v5: Rename to machine keyring
---
 security/integrity/Kconfig                    | 11 +++++
 security/integrity/Makefile                   |  1 +
 security/integrity/digsig.c                   |  1 +
 security/integrity/integrity.h                | 12 +++++-
 .../platform_certs/machine_keyring.c          | 42 +++++++++++++++++++
 5 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 security/integrity/platform_certs/machine_keyring.c

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 71f0177e8716..52193b86768a 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -62,6 +62,17 @@ config INTEGRITY_PLATFORM_KEYRING provided by the platform for verifying the kexec'ed kerned image and, possibly, the initramfs signature. +config INTEGRITY_MACHINE_KEYRING + bool "Provide a keyring to which CA Machine Owner Keys may be added" + depends on SECONDARY_TRUSTED_KEYRING + depends on INTEGRITY_ASYMMETRIC_KEYS + depends on SYSTEM_BLACKLIST_KEYRING + help + If set, provide a keyring to which CA Machine Owner Keys (MOK) may + be added. This keyring shall contain just CA MOK keys. Unlike keys + in the platform keyring, keys contained in the .machine keyring will + be trusted within the kernel. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/Makefile b/security/integrity/Makefile index 7ee39d66cf16..d0ffe37dc1d6 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -10,6 +10,7 @@ integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o +integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING) += platform_certs/machine_keyring.o integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 3b06a01bd0fd..8c315be8ad99 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -30,6 +30,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { ".ima", #endif ".platform", + ".machine", }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..730771eececd 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h 
@@ -151,7 +151,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_PLATFORM 2 -#define INTEGRITY_KEYRING_MAX 3 +#define INTEGRITY_KEYRING_MACHINE 3 +#define INTEGRITY_KEYRING_MAX 4 extern struct dentry *integrity_dir; @@ -283,3 +284,12 @@ static inline void __init add_to_platform_keyring(const char *source, { } #endif + +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +void __init add_to_machine_keyring(const char *source, const void *data, size_t len); +#else +static inline void __init add_to_machine_keyring(const char *source, + const void *data, size_t len) +{ +} +#endif diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c new file mode 100644 index 000000000000..948ec6c738c8 --- /dev/null +++ b/security/integrity/platform_certs/machine_keyring.c 
@@ -0,0 +1,42 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Machine keyring routines. + * + * Copyright (c) 2021, Oracle and/or its affiliates. + */ + +#include "../integrity.h" + +static __init int machine_keyring_init(void) +{ + int rc; + + rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE); + if (rc) + return rc; + + pr_notice("Machine keyring initialized\n"); + return 0; +} +device_initcall(machine_keyring_init); + +void __init add_to_machine_keyring(const char *source, const void *data, size_t len) +{ + key_perm_t perm; + int rc; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm); + + /* + * Some MOKList keys may not pass the machine keyring restrictions. + * If the restriction check does not pass and the platform keyring + * is configured, try to add it into that keyring instead. + */ + if (rc) + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, + data, len, perm); + + if (rc) + pr_info("Error adding keys to machine keyring %s\n", source); +}
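Review bot: the INTEGRITY_MACHINE_KEYRING help text in the Kconfig hunk states that keys in the .machine keyring "will be trusted within the kernel", while the commit message qualifies this with "if the end-user has chosen to do so"; align the help text with the commit message (for example "may be trusted within the kernel if the end-user has opted in") so that someone enabling the option is not told trust is unconditional.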
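Review bot: in the machine_keyring.c hunk, add_to_machine_keyring() retries into INTEGRITY_KEYRING_PLATFORM on any non-zero rc from the first integrity_load_cert() call, not only when the machine keyring's restriction rejects the key, and the final pr_info("Error adding keys to machine keyring %s\n", source) is printed even when it was the platform keyring that failed; consider restricting the fallback to the restriction-rejected case and reporting which keyring the final failure came from. The comment above the retry also says it happens only "if the platform keyring is configured", but nothing in this function checks that, so either test it here or say in the comment which call guarantees it.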

From patchwork Tue Sep 7 16:01:00 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12479111
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 02/12] integrity: Do not allow machine keyring updates following init
Date: Tue, 7 Sep 2021 12:01:00 -0400
Message-Id: <20210907160110.2699645-3-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>

The machine keyring is set up during init. No additional keys should be
allowed to be added afterwards. Leave the permission as read-only.
Signed-off-by: Eric Snowberg
---
v2: Initial version
v4: Unmodified from v2
v5: Rename to machine keyring
---
 security/integrity/digsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 8c315be8ad99..5a75ac2c4dbe 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -140,7 +140,8 @@ int __init integrity_init_keyring(const unsigned int id) return -ENOMEM; restriction->check = restrict_link_to_ima; - perm |= KEY_USR_WRITE; + if (id != INTEGRITY_KEYRING_MACHINE) + perm |= KEY_USR_WRITE; out: return __integrity_init_keyring(id, perm, restriction);
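Review bot: the new `if (id != INTEGRITY_KEYRING_MACHINE)` guard sits directly under `restriction->check = restrict_link_to_ima;`, so after this hunk the machine keyring is still created with the IMA link restriction and only loses KEY_USR_WRITE, whereas the commit message mentions the permission change alone; state in the commit message whether restrict_link_to_ima is the intended restriction for .machine at this point in the series or is replaced later, and put a one-line comment above the condition saying why the machine keyring alone stays read-only (it is populated only during init), since the surrounding code gives no hint.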

From patchwork Tue Sep 7 16:01:01 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12479067
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 03/12] KEYS: CA link restriction
Date: Tue, 7 Sep 2021 12:01:01 -0400
Message-Id: <20210907160110.2699645-4-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA (self-signed).

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Removed secondary keyring references
v3: Removed restrict_link_by_system_trusted_or_ca
    Simplify restrict_link_by_ca - only see if the key is a CA
    Did not add __init in front of restrict_link_by_ca in case restriction could be reused in the future
v5: Unmodified from v3
---
 crypto/asymmetric_keys/restrict.c | 40 +++++++++++++++++++++++++++++++
 include/crypto/public_key.h       |  5 ++++
 2 files changed, 45 insertions(+)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 84cefe3b3585..9ae43d3f862b 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,46 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trusted: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find + * a matching parent certificate in the trusted list. -ENOPKG if the signature + * uses unsupported crypto, or some other error if there is a matching + * certificate but the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + return public_key_verify_signature(pkey, sig); +} + static bool match_either_id(const struct asymmetric_key_ids *pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..545af1ea57de 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
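Review bot: restrict_link_by_ca does not check that the key is a CA; it only checks that the certificate verifies under its own public key (payload->data[asym_crypto] handed to public_key_verify_signature together with the certificate's own asym_auth signature), which is the definition of self-signed, not of a CA. Any self-signed end-entity certificate (basicConstraints absent or CA:FALSE, no keyCertSign key usage) passes and gets linked into what the kernel-doc calls "a ring of CA keys". If the intent is CA-only, the x509 parser has to surface basicConstraints/keyUsage and this function has to test them; otherwise the commit message and the kernel-doc should say "self-signed" rather than "CA". Two kernel-doc problems in the same hunk: the parameter is named trust_keyring but the comment documents @trusted, and the return description ("-ENOKEY if we could not find a matching parent certificate in the trusted list") describes the signature-chain restrictions above it, not this one, where -ENOKEY means the signature carries no auth_ids at all and no trusted list is consulted.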
@@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
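The policy in this patch equates "CA" with "self-signed". The following is an added example, not code from this patch, the kernel tree or its author, that shows at the X.509 level why those are different properties: it constructs three sample certificates inline with a minimal DER encoder (placeholder keys and signatures, constructed for this example) and then walks the DER to read issuer, subject and the basicConstraints extension (OID 2.5.29.19), which is what separates a CA certificate from a self-signed end-entity one. Because it does no cryptography, the issuer == subject comparison stands in for the "verifies under its own key" test the kernel performs with public_key_verify_signature; that substitution, and every helper name (make_cert, inspect_cert, passes_self_signed_check, passes_ca_check), is this example's own assumption.

```python
"""Added example (not code from the patch or the kernel tree): a self-signed
certificate is not necessarily a CA certificate.

A tiny DER encoder builds three constructed sample certificates with
placeholder keys and signatures; a tiny DER walker reads issuer, subject and
the basicConstraints extension.  issuer == subject is a structural stand-in
for "verifies under its own key"; no cryptography is performed here.
"""

OID_CN = "2.5.4.3"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


# ---- minimal DER encoder, only used to construct the samples ---------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def oid_value(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def seq(*items):
    return tlv(0x30, b"".join(items))


def name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
    return seq(tlv(0x31, seq(tlv(0x06, oid_value(OID_CN)), tlv(0x0C, cn.encode()))))


def make_cert(subject, issuer, ca=None):
    """Syntactically valid v3 Certificate.  ca=None omits basicConstraints;
    ca=True/False emits it as a critical extension.  Key/signature are dummies."""
    tbs = [
        tlv(0xA0, tlv(0x02, b"\x02")),                         # [0] version v3
        tlv(0x02, b"\x01"),                                    # serialNumber
        seq(tlv(0x06, oid_value(OID_SHA256_RSA))),             # signature alg
        name(issuer),
        seq(tlv(0x17, b"210907000000Z"), tlv(0x17, b"310907000000Z")),  # validity
        name(subject),
        seq(seq(tlv(0x06, oid_value(OID_RSA_ENCRYPTION))), tlv(0x03, b"\x00\x00")),  # SPKI dummy
    ]
    if ca is not None:
        basic = seq(tlv(0x01, b"\xff")) if ca else seq()       # BasicConstraints { cA }
        ext = seq(tlv(0x06, oid_value(OID_BASIC_CONSTRAINTS)), tlv(0x01, b"\xff"), tlv(0x04, basic))
        tbs.append(tlv(0xA3, seq(ext)))                        # [3] extensions
    return seq(seq(*tbs), seq(tlv(0x06, oid_value(OID_SHA256_RSA))), tlv(0x03, b"\x00\x00"))


# ---- minimal DER walker: the check itself ----------------------------------
def der_children(body):
    """Split a DER body into its (tag, value) elements (short and long lengths)."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out


def common_name(name_value):
    rdn = der_children(name_value)[0][1]           # first RDN (SET)
    atv = der_children(rdn)[0][1]                  # first AttributeTypeAndValue
    return der_children(atv)[1][1].decode()


def inspect_cert(der):
    """Return subject, issuer, whether issuer == subject, and the cA flag."""
    cert_body = der_children(der)[0][1]
    tbs = der_children(der_children(cert_body)[0][1])   # tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0                   # skip explicit [0] version
    issuer, subject = tbs[i + 2], tbs[i + 4]
    ca = False                                          # cA DEFAULT FALSE
    for tag, val in tbs[i + 6:]:
        if tag != 0xA3:
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            parts = der_children(ext)                   # [extnID, critical?, extnValue]
            if parts[0][1] == oid_value(OID_BASIC_CONSTRAINTS):
                fields = der_children(der_children(parts[-1][1])[0][1])
                ca = bool(fields) and fields[0][0] == 0x01 and fields[0][1] != b"\x00"
    return {"subject": common_name(subject[1]), "issuer": common_name(issuer[1]),
            "self_signed": issuer == subject, "ca": ca}


def passes_self_signed_check(der):
    """What a 'verifies under its own key' policy accepts."""
    return inspect_cert(der)["self_signed"]


def passes_ca_check(der):
    """What a CA-only policy should accept: self-signed AND basicConstraints cA."""
    info = inspect_cert(der)
    return info["self_signed"] and info["ca"]


# Constructed samples: placeholder keys and signatures, not real certificates.
SELF_SIGNED_LEAF = make_cert("dev-laptop", "dev-laptop", ca=False)
ROOT_CA = make_cert("Example Root CA", "Example Root CA", ca=True)
ISSUED_LEAF = make_cert("module-signer", "Example Root CA")

if __name__ == "__main__":
    for label, cert in (("self-signed leaf", SELF_SIGNED_LEAF), ("root CA", ROOT_CA),
                        ("issued leaf", ISSUED_LEAF)):
        print(f"{label:17s} self-signed-only: {passes_self_signed_check(cert)!s:5s} "
              f"CA-only: {passes_ca_check(cert)}")
```

Run directly, it prints the three verdicts: the self-signed developer certificate passes the self-signed-only policy and fails the CA-only one, which is exactly the gap a "ring of CA keys" has to close by also testing basicConstraints (and, in a fuller check, keyUsage keyCertSign).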
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca
Date: Tue, 7 Sep 2021 12:01:02 -0400
Message-Id: <20210907160110.2699645-5-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to restrict_link_by_ca. This will only allow CA keys into the machine keyring.
Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) check so mok keyring gets created even when it isn't enabled
v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca
v4: removed unnecessary restriction->check set
v5: Rename to machine keyring
---
 security/integrity/digsig.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 5a75ac2c4dbe..2b75bbbd9e0e 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id) goto out; } - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MACHINE) return 0; restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; + if (id != INTEGRITY_KEYRING_MACHINE) perm |= KEY_USR_WRITE;
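Review bot: the new condition `if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MACHINE)` changes which keyrings get a restriction at all, but nothing in the hunk says why: with CONFIG_INTEGRITY_TRUSTED_KEYRING off every other integrity keyring still returns early as before, while the machine keyring is now always set up with restrict_link_by_ca. A one-line comment stating that the machine keyring must never exist without its CA restriction would make the intent reviewable, and the line is over 80 columns and should be wrapped. The security property this hunk relies on is only as strong as restrict_link_by_ca, which as posted in 03/12 accepts any self-signed certificate, so "only allow CA keys" in the commit message is not yet what the code enforces. The context line `if (id != INTEGRITY_KEYRING_MACHINE) perm |= KEY_USR_WRITE;` is the right companion to the restriction: a restricted ring that userspace could still write to would defeat the point.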
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 05/12] integrity: add new keyring handler for mok keys
Date: Tue, 7 Sep 2021 12:01:03 -0400
Message-Id: <20210907160110.2699645-6-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Currently both Secure Boot DB and Machine Owner Keys (MOK) go through the same keyring handler (get_handler_for_db). With the addition of the new machine keyring, the end-user may choose to trust MOK keys.

Introduce a new keyring handler specific for MOK keys. If MOK keys are trusted by the end-user, use the new keyring handler instead.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v3: Only change the keyring handler if the secondary is enabled
v4: Removed trust_moklist check
v5: Rename to machine keyring
---
 .../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++-
 .../integrity/platform_certs/keyring_handler.h |  5 +++++
 security/integrity/platform_certs/load_uefi.c   |  4 ++--
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 5604bd57c990..445d413aec74 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -66,7 +66,7 @@ static __init void uefi_revocation_list_x509(const char *source, /* * Return the appropriate handler for particular signature list types found in - * the UEFI db and MokListRT tables. + * the UEFI db tables. */ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) {
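Review bot: the updated comment reads "the UEFI db tables"; now that it describes a single table it should be "the UEFI db table" (the plural came from the old "db and MokListRT" pairing, and the dbx comment further down keeps "tables" because it still names two). Dropping MokListRT from this comment is otherwise correct, since both MokListRT call sites in load_uefi.c are switched to get_handler_for_mok in this patch.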
@@ -75,6 +75,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) return 0; } +/* + * Return the appropriate handler for particular signature list types found in + * the MokListRT tables. + */ +__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) + return add_to_machine_keyring; + else + return add_to_platform_keyring; + } + return 0; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 2462bfa08fe3..284558f30411 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len); */ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types found in the mok. + */ +efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index f290f78c3f30..c1bfd1cd7cc3 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -94,7 +94,7 @@ static int __init load_moklist_certs(void) rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_mok); /* All done if that worked. */ if (!rc) return rc; 
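Review bot: get_handler_for_mok selects add_to_machine_keyring purely on IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING), a compile-time option, yet the commit message says the handler is used "if MOK keys are trusted by the end-user" and the v4 note says a trust_moklist check was removed. Either the end-user decision is made somewhere else in the series and the message should say so, or it is missing here; as written, every x509 entry in MokListRT is offered to the machine keyring and the only gate left is that keyring's own link restriction. Also, add_to_machine_keyring is neither declared nor defined in this patch, so it depends on an earlier patch in the series; say so in the message so the patch is not picked stand-alone. Minor: the `else` after `return add_to_machine_keyring;` is redundant and the usual kernel style drops it.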
@@ -109,7 +109,7 @@ static int __init load_moklist_certs(void) mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); if (mok) { rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + mok, moksize, get_handler_for_mok); kfree(mok); if (rc) pr_err("Couldn't parse MokListRT signatures: %d\n", rc);

From patchwork Tue Sep 7 16:01:04 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12479081
b=ah2SMYlhtTt8KwTuUfNSu1Uq5yVApOMwYJFAoTXpLnzHk3LRSld2Y+I11dy0YypWso73FgWMIN9HjnwSK/txRyNeuniZKAFJJe/B1e69Pe5Y9/lmCBWJGPlXqY7Axjt5sCUPLWYW/xSCjKyohK3sJNRDT90iwYAyZxjyYYHZbe2/8MyqyVKIRQqNQzouxvQLuJ64TOuRmhxZFT1XEZl7YmBCKN/OIdDZxynsJFJ5kJy1x5M5QDtaIZYfCrpxHJ5P5p+d6x0g57FjLWCjJJX//YnxRH43rt/SWj4skGoW5FQebrxU8s+PEAgTDqc4UlFAZalZZ/8meqsx3PoKdfYIaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=TagJP8q4B4xHN6BaPYBQ54aG+H/V8owz3wMaKpjQkUY=; b=dzCFz9eFKK2PjUZhiFKf5uPboFt2gvZyI2qwqS7n1E5MK6OwnZdMs/9xo3BKVgrLR8ZS5DO2Tgyc64CddB3ZA5aaaIbdl8sKnUS3qX05lMCxbUuPwoOQdgCeqxUshvetbdaOta8d+91W+p23AtpfHQXgolpzrhex8ku46fgYJi9pYnuQLpa5aKpKRzHtn6dmr6wMxctR7Yj4c7z0MTQkcBwvjPXVikX1g+e2skDiYpPyERp4OxTmCJJ/a/WjtqMFfPnbTzvhAQKUaeZuEOaSk+lPoPE9z73TEOzAC5Bau/T1zvnWJydc5L5zGkYRFO0yDIuqMvBls8ZhrjBI8FH+hw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TagJP8q4B4xHN6BaPYBQ54aG+H/V8owz3wMaKpjQkUY=; b=mKv76pgJs/MiZs/2IZnpFBio6H+Z1g92Hvna05bpTZ6Tq8BleDMIPoDDOcCkeGxGjC+txbbKkQPSx9vfylWYPPPn376MGMBKJisLSWyO4JgJSOcJLYLCcTIUv1XMXwd5bjYA/TA0mxRhYVdEszo/MMNVJZgFuFGrC+eOASI7V2s= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none;vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5004.namprd10.prod.outlook.com (2603:10b6:610:de::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.14; Tue, 7 Sep 2021 16:01:39 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com 
([fe80::340c:c4d9:1efa:5bc7]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::340c:c4d9:1efa:5bc7%8]) with mapi id 15.20.4478.025; Tue, 7 Sep 2021 16:01:39 +0000 
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 06/12] KEYS: add a reference to machine keyring
Date: Tue, 7 Sep 2021 12:01:04 -0400
Message-Id: <20210907160110.2699645-7-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Expose the .machine keyring created in integrity code by adding a reference. This makes the machine keyring accessible for keyring restrictions in the future.
Signed-off-by: Eric Snowberg
---
v2: Initial version
v3: set_mok_trusted_keys only available when secondary is enabled
v4: Moved code under CONFIG_INTEGRITY_MOK_KEYRING
v5: Rename to machine keyring
---
 certs/system_keyring.c | 9 +++++++++
 include/keys/system_keyring.h | 8 ++++++++
 2 files changed, 17 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 692365dee2bd..08ea542c8096 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +static struct key *machine_trusted_keys; +#endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys; #endif
@@ -91,6 +94,12 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +void __init set_machine_trusted_keys(struct key *keyring) +{ + machine_trusted_keys = keyring; +} +#endif /* * Create the trusted keyrings
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 6acd3cf13a18..98c9b10cdc17 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -38,6 +38,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +extern void __init set_machine_trusted_keys(struct key *keyring); +#else +static inline void __init set_machine_trusted_keys(struct key *keyring) +{ +} +#endif + extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash);
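Review bot: in the @@ -91,6 +94,12 @@ hunk of certs/system_keyring.c, set_machine_trusted_keys() stores the caller's pointer in machine_trusted_keys without taking a reference of its own (there is no key_get()), so a comment or kerneldoc block above it should state that the caller, the integrity code that creates the .machine keyring per the commit message, keeps a reference for the life of the kernel; the same block would document that the function is init-only, which the __init annotation implies but does not explain.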
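Review bot: in the @@ -38,6 +38,14 @@ hunk of include/keys/system_keyring.h, the !CONFIG_INTEGRITY_MACHINE_KEYRING stub `static inline void __init set_machine_trusted_keys(struct key *keyring) { }` silently discards the keyring, so a caller built without the option gets no hint that the machine keyring is not wired into the trust model; that is the intended no-op, but a one-line comment on the stub saying so would keep a future reader from hunting for a missing assignment.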
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys
Date: Tue, 7 Sep 2021 12:01:05 -0400
Message-Id: <20210907160110.2699645-8-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Introduce a new link restriction that includes the trusted builtin, secondary and machine keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings.
Suggested-by: Mimi Zohar
Signed-off-by: Eric Snowberg
---
v3: Initial version
v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING
v5: Rename to machine keyring
---
 certs/system_keyring.c | 23 +++++++++++++++++++++++
 include/keys/system_keyring.h | 6 ++++++
 2 files changed, 29 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 08ea542c8096..955bd57815f4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) { machine_trusted_keys = keyring; } + +/** + * restrict_link_by_builtin_secondary_and_ca_trusted + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in either the built-in, the secondary, or + * the machine keyrings. + */ +int restrict_link_by_builtin_secondary_and_ca_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + if (machine_trusted_keys && type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &machine_trusted_keys->payload) + /* Allow the machine keyring to be added to the secondary */ + return 0; + + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type, + payload, restrict_key); +} #endif /*
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 98c9b10cdc17..fe4be10e66ef 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +extern int restrict_link_by_builtin_secondary_and_ca_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); extern void __init set_machine_trusted_keys(struct key *keyring); #else +#define restrict_link_by_builtin_secondary_and_ca_trusted restrict_link_by_builtin_trusted static inline void __init set_machine_trusted_keys(struct key *keyring) { }
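Review bot: in the @@ -99,6 +99,29 @@ hunk of certs/system_keyring.c, the kerneldoc says keys are accepted when vouched for by a key in the built-in, secondary or machine keyrings, but the body only special-cases one operation, linking the machine keyring itself (type == &key_type_keyring and payload == &machine_trusted_keys->payload) into secondary_trusted_keys, and otherwise defers to restrict_link_by_builtin_and_secondary_trusted(); machine keys therefore vouch for new keys only indirectly, once the machine keyring has been linked into the secondary keyring, and the comment should say so. The "_ca_trusted" suffix in the function name matches neither the comment nor the commit message, which both talk about the machine keyring; "..._and_machine_trusted" would be clearer. Note also that dest_keyring == secondary_trusted_keys only compiles when CONFIG_SECONDARY_TRUSTED_KEYRING is set, since that variable is declared under #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING in the previous patch, so CONFIG_INTEGRITY_MACHINE_KEYRING must carry a Kconfig dependency on it; worth a comment here if that dependency exists.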
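Review bot: in the @@ -39,8 +39,14 @@ hunk of include/keys/system_keyring.h, the #else fallback maps restrict_link_by_builtin_secondary_and_ca_trusted to restrict_link_by_builtin_trusted, which is stricter than the existing default restrict_link_by_builtin_and_secondary_trusted; the callers added in the next patch select the new function only when CONFIG_INTEGRITY_MACHINE_KEYRING is set, so the fallback is never reached at run time, but mapping it to restrict_link_by_builtin_and_secondary_trusted would keep its semantics identical to the function it stands in for should a future caller use it unconditionally.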
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring
Date: Tue, 7 Sep 2021 12:01:06 -0400
Message-Id: <20210907160110.2699645-9-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

With the introduction of the machine keyring, the end-user may choose to trust Machine Owner Keys (MOK) within the kernel.
If they have chosen to trust them, the .machine keyring will contain these keys. If not, the machine keyring will always be empty. Update the restriction check to allow the secondary trusted keyring and ima keyring to also trust machine keys.

Signed-off-by: Eric Snowberg
---
v4: Initial version (consolidated two previous patches)
v5: Rename to machine keyring
---
 certs/system_keyring.c | 5 ++++-
 security/integrity/digsig.c | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 955bd57815f4..747f0c528fec 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -89,7 +89,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void if (!restriction) panic("Can't allocate secondary trusted keyring restriction\n"); - restriction->check = restrict_link_by_builtin_and_secondary_trusted; + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) + restriction->check = restrict_link_by_builtin_secondary_and_ca_trusted; + else + restriction->check = restrict_link_by_builtin_and_secondary_trusted; return restriction; }
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 2b75bbbd9e0e..c3c1939be2f1 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,7 +34,11 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +#define restrict_link_to_ima restrict_link_by_builtin_secondary_and_ca_trusted +#else #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#endif #else #define restrict_link_to_ima restrict_link_by_builtin_trusted #endif
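Review bot: in the @@ -89,7 +89,10 @@ hunk of certs/system_keyring.c, the IS_ENABLED() branch compiles both assignments, so with CONFIG_INTEGRITY_MACHINE_KEYRING off the build relies on the header's #define fallback for restrict_link_by_builtin_secondary_and_ca_trusted; that is fine, but a comment above the if explaining that the new check exists to let the .machine keyring be linked into the secondary keyring, the only case in which the two restriction functions differ, would make the intent obvious at this call site.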
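Review bot: in the @@ -34,7 +34,11 @@ hunk of security/integrity/digsig.c, the nested #ifdef is correct but now three levels deep; if the header's fallback for restrict_link_by_builtin_secondary_and_ca_trusted were restrict_link_by_builtin_and_secondary_trusted rather than restrict_link_by_builtin_trusted, the inner #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING could collapse to a single #define. Either way, a comment stating that machine keys are trusted by IMA only under CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY, never in the builtin-only configuration, would document the policy the block encodes.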
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v5 09/12] KEYS: link secondary_trusted_keys to machine trusted keys Date: Tue, 7 Sep 2021 12:01:07 -0400 Message-Id: <20210907160110.2699645-10-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com> References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
Allow the .machine keyring to be linked to the secondary_trusted_keys. After the link is created, keys contained in the .machine keyring will automatically be searched when searching secondary_trusted_keys. Signed-off-by: Eric Snowberg --- v3: Initial version v4: Unmodified from v3 v5: Rename to machine keyring --- certs/system_keyring.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 747f0c528fec..e414b80f2135 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -101,6 +101,9 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void void __init set_machine_trusted_keys(struct key *keyring) { machine_trusted_keys = keyring; + + if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0) + panic("Can't link (machine) trusted keyrings\n"); } /**
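Review bot: key_link(secondary_trusted_keys, machine_trusted_keys) assumes that secondary_trusted_keys exists as a symbol, which is only true with CONFIG_SECONDARY_TRUSTED_KEYRING, and that it has already been allocated by the time set_machine_trusted_keys() runs; the hunk shows neither an #ifdef nor a Kconfig dependency. Please make CONFIG_INTEGRITY_MACHINE_KEYRING depend on SECONDARY_TRUSTED_KEYRING (or guard the link) and say in the commit message which initcall ordering guarantees the secondary keyring is set up first, because a NULL keyring here would not reach the `< 0` error path. Panicking when the link fails matches how the surrounding code treats the secondary restriction allocation, so that part is consistent.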
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v5 10/12] integrity: store reference to machine keyring Date: Tue, 7 Sep 2021 12:01:08 -0400 Message-Id: <20210907160110.2699645-11-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com> References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
Store a reference to the machine keyring in system keyring code.
The system keyring code needs this to complete the keyring link to the machine keyring. Signed-off-by: Eric Snowberg --- v2: Initial version v3: Unmodified from v2 v4: Removed trust_moklist check v5: Rename to machine keyring --- security/integrity/digsig.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index c3c1939be2f1..0dce2775f3c2 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c
@@ -116,6 +116,8 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); + if (id == INTEGRITY_KEYRING_MACHINE) + set_machine_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); }
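Review bot: the call to set_machine_trusted_keys() in __integrity_init_keyring() is unconditional, so when CONFIG_INTEGRITY_MACHINE_KEYRING is off both INTEGRITY_KEYRING_MACHINE and set_machine_trusted_keys() still have to be visible to digsig.c; the INTEGRITY_KEYRING_PLATFORM case directly above relies on a static inline stub for the disabled configuration, and this one needs the same. Since set_machine_trusted_keys() now also links the keyring into secondary_trusted_keys (patch 09/12), "store a reference" undersells what this call does; the commit message should say it both stores the pointer and performs the link, because that link is the point at which machine keys become reachable through the secondary keyring.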
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v5 11/12] integrity: Trust MOK keys if MokListTrustedRT found Date: Tue, 7 Sep 2021 12:01:09 -0400 Message-Id: <20210907160110.2699645-12-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com> References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
A new Machine Owner Key (MOK) variable called MokListTrustedRT has been introduced in shim. When this UEFI variable is set, it indicates the end-user has made the decision themself that they wish to trust MOK keys within the Linux trust boundary. It is not an error if this variable does not exist. If it does not exist, the MOK keys should not be trusted within the kernel. MOK variables are mirrored from Boot Services to Runtime Services. When shim sees the new MokTML BS variable, it will create a new variable (before Exit Boot Services is called) called MokListTrustedRT without EFI_VARIABLE_NON_VOLATILE set. Following Exit Boot Services, UEFI variables can only be set and created with SetVariable if both EFI_VARIABLE_RUNTIME_ACCESS & EFI_VARIABLE_NON_VOLATILE are set.
Therefore, this cannot be defeated by simply creating a MokListTrustedRT variable from Linux; the existence of EFI_VARIABLE_NON_VOLATILE will cause uefi_check_trust_machine_keys to return false. Signed-off-by: Eric Snowberg --- v1: Initial version v2: Removed mok_keyring_trust_setup function v4: Unmodified from v2 v5: Rename to machine keyring --- .../platform_certs/machine_keyring.c | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 948ec6c738c8..635ab2b9e289 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -5,6 +5,7 @@ * Copyright (c) 2021, Oracle and/or its affiliates. */ +#include #include "../integrity.h" static __init int machine_keyring_init(void)
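Review bot: the added #include line arrives empty in this rendering, so the hunk does not show which header it pulls in; the next hunk uses efi_status_t, efi_guid_t, efi.get_variable() and EFI_SHIM_LOCK_GUID, so the include should be the EFI header that declares those directly rather than relying on whatever "../integrity.h" happens to bring in transitively.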
@@ -40,3 +41,29 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t if (rc) pr_info("Error adding keys to machine keyring %s\n", source); } + +/* + * Try to load the MokListTrustedRT UEFI variable to see if we should trust + * the mok keys within the kernel. It is not an error if this variable + * does not exist. If it does not exist, mok keys should not be trusted + * within the machine keyring. + */ +static __init bool uefi_check_trust_mok_keys(void) +{ + efi_status_t status; + unsigned int mtrust = 0; + unsigned long size = sizeof(mtrust); + efi_guid_t guid = EFI_SHIM_LOCK_GUID; + u32 attr; + + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust); + + /* + * The EFI_VARIABLE_NON_VOLATILE check is to verify MokListTrustedRT + * was set thru shim mirrioring and not by a user from the host os. + * According to the UEFI spec, once EBS is performed, SetVariable() + * will succeed only when both EFI_VARIABLE_RUNTIME_ACCESS & + * EFI_VARIABLE_NON_VOLATILE are set. 
+ */ + return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); +}
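Review bot: In the `@@ -40,3 +41,29 @@` hunk, uefi_check_trust_mok_keys() calls `efi.get_variable()` unconditionally; when EFI runtime services are not available (non-EFI boot, or `efi=noruntime`) that service is not set up, so the function should return false early unless `efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)` holds. Two smaller points on the same hunk: `mtrust` is a 4-byte buffer whose contents are never examined, so a larger payload makes get_variable() return EFI_BUFFER_TOO_SMALL and the function fails closed, which is reasonable but deserves a line in the comment; and the comment's "thru" and "mirrioring" should read "through" and "mirroring". The function is also `static` with no caller in this patch, so building the series at this point produces an unused-function warning until 12/12 adds trust_moklist().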
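The commit message above relies on the attribute bits to tell shim's Boot Services-created copy of MokListTrustedRT from anything created after ExitBootServices. As an added example, not part of Eric Snowberg's series, here is the same trust decision modelled in userspace over the byte layout efivarfs exposes for a variable (a 4-byte little-endian attribute word followed by the data); the efivarfs path is an assumption built from the variable name and EFI_SHIM_LOCK_GUID, and the sample blob is constructed.

```c
/* Added example, not part of the patch series: the MokListTrustedRT trust
 * decision modelled in userspace over the byte layout efivarfs exposes
 * (a 4-byte little-endian attribute word followed by the variable data). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define EFI_VARIABLE_NON_VOLATILE    0x00000001u  /* UEFI spec attribute bits */
#define EFI_VARIABLE_RUNTIME_ACCESS  0x00000004u
/* Assumed efivarfs path: the variable name plus EFI_SHIM_LOCK_GUID. */
#define MOKLIST_TRUSTED_RT_PATH \
    "/sys/firmware/efi/efivars/MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23"
/* Constructed sample: how shim's BS-created copy (attrs BS|RT) appears in efivarfs. */
const uint8_t shim_sample_blob[5] = { 0x06, 0x00, 0x00, 0x00, 0x01 };

/* Extract the attribute word; false if the blob cannot hold the header. */
static bool efivarfs_attrs(const uint8_t *blob, size_t len, uint32_t *attr)
{
    if (blob == NULL || len < 4)
        return false;
    *attr = (uint32_t)blob[0] | (uint32_t)blob[1] << 8 |
            (uint32_t)blob[2] << 16 | (uint32_t)blob[3] << 24;
    return true;
}

/* Mirrors uefi_check_trust_mok_keys(): trust MOK keys only when the variable
 * exists AND lacks EFI_VARIABLE_NON_VOLATILE, which only shim (before
 * ExitBootServices) can arrange; absent (blob == NULL) just means "do not trust". */
bool check_trust_mok_keys(const uint8_t *blob, size_t len)
{
    uint32_t attr;
    if (!efivarfs_attrs(blob, len, &attr))
        return false;
    return !(attr & EFI_VARIABLE_NON_VOLATILE);
}

/* The UEFI rule the commit message relies on: after ExitBootServices,
 * SetVariable() may only create a variable carrying both RUNTIME_ACCESS and
 * NON_VOLATILE, so anything the running OS creates fails the check above. */
bool post_ebs_setvariable_allowed(uint32_t attr)
{
    const uint32_t required = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE;
    return (attr & required) == required;
}

/* Read the live variable through efivarfs and return the decision. */
bool check_live_variable(void)
{
    uint8_t buf[64];
    FILE *f = fopen(MOKLIST_TRUSTED_RT_PATH, "rb");
    if (f == NULL)
        return false;   /* absent: not an error, just "do not trust" */
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return check_trust_mok_keys(buf, n);
}
```

check_live_variable() reports what the kernel's check would decide on the running machine; the payload value is deliberately ignored, exactly as in the patch.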
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com
Subject: [PATCH v5 12/12] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true
Date: Tue, 7 Sep 2021 12:01:10 -0400
Message-Id: <20210907160110.2699645-13-eric.snowberg@oracle.com>
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
References: <20210907160110.2699645-1-eric.snowberg@oracle.com>
With the introduction of uefi_check_trust_mok_keys, it signifies the end-user wants to trust the machine keyring as trusted keys. If they have chosen to trust the machine keyring, load the qualifying keys into it during boot, then link it to the secondary keyring. If the user has not chosen to trust the machine keyring, it will be empty and not linked to the secondary keyring.

Signed-off-by: Eric Snowberg
---
v4: Initial version
v5: Rename to machine keyring
---
 security/integrity/digsig.c | 2 +-
 security/integrity/integrity.h | 5 +++++
 .../integrity/platform_certs/keyring_handler.c | 2 +-
 .../integrity/platform_certs/machine_keyring.c | 16 ++++++++++++++++
 4 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 0dce2775f3c2..d495c4e49240 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -116,7 +116,7 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); - if (id == INTEGRITY_KEYRING_MACHINE) + if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) set_machine_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 730771eececd..2e214c761158 100644
--- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source, #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING void __init add_to_machine_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_machine_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 445d413aec74..d78dd66fb048 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -82,7 +82,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) return add_to_machine_keyring; else return add_to_platform_keyring; diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 635ab2b9e289..eaef1efdb261 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -8,6 +8,8 @@ #include #include "../integrity.h" +bool trust_mok; + static __init int machine_keyring_init(void) { int rc; @@ -67,3 +69,17 @@ static __init bool uefi_check_trust_mok_keys(void) */ return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); } + +bool __init trust_moklist(void) +{ + static bool initialized; + + if (!initialized) { + initialized = true; + + if (uefi_check_trust_mok_keys()) + trust_mok = true; + } + + return trust_mok; +}
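Review bot: In the keyring_handler.c `@@ -82,7 +82,7 @@` hunk, when CONFIG_INTEGRITY_MACHINE_KEYRING is enabled but trust_moklist() is false, MOK x509 certificates fall through to the existing `else` branch and land in the platform keyring; the commit message only says the machine keyring "will be empty", so state this fallback explicitly, since it decides which keyring a MOK-signed object is verified against.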
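Review bot: In the machine_keyring.c `@@ -8,6 +8,8 @@` hunk, `bool trust_mok;` is a non-static global with no declaration in integrity.h, so sparse will report that the symbol should be static; nothing outside this file reads it, so make it `static`. Its only reader is the `__init` trust_moklist(), and both callers in this patch (`__integrity_init_keyring` in digsig.c and `get_handler_for_mok` in keyring_handler.c) are `__init` as well, so it can also be marked `__initdata`.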
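Review bot: trust_moklist() in the `@@ -67,3 +69,17 @@` hunk has no comment describing its caching: document that the first call reads the UEFI variable via uefi_check_trust_mok_keys() and later calls return the cached `trust_mok`, which is what lets get_handler_for_mok() call it once per MOK certificate without re-reading the variable, and that the function is `__init` and therefore unavailable after boot.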